Data Protection

The Data Protection Act (DPA) sets out rules for processing personal information. It gives certain rights to individuals and it also says that those who record and use personal information must adhere to eight data protection principles.

This page summarises the general obligations which apply to the House of Commons and the House of Lords as data controllers under the DPA:

The House of Commons and the House of Lords are separate data controllers. Use the links on the left hand side of this page to see the policies that apply specifically to each House and to find out how to request access to your personal data.

Individual Members of Parliament (MP's) are data controllers in their own right. Requests for your own personal data that is held by an MP should be sent directly to that MP and not to the House of Commons. Supporting guidance for MP's is available on the House of Commons page.

The data protection principles

Personal data shall be:

1. Fairly and lawfully processed 2. Processed for limited purposes 3. Adequate, relevant and not excessive 4. Accurate 5. Not kept for longer than is necessary 6. Processed in line with an individual's rights 7. Secure 8. Not transferred to other countries without adequate protection

Data subject rights

Under the Data Protection Act (DPA) individuals may ask, in writing, to see information that is held about them. This is known as a 'subject access request. A data controller may ask for the following before processing a subject access request:

a fee of £10 to be paid 

more information to enable them to locate the requested information, 

and adequate proof of identity from the applicant before considering the request

A response to a subject access request will be given within forty calendar days of receipt of the above.

Relationship with FOIA

Requests for access to personal data that are made by someone who is not the subject of that personal data are not subject access requests. These should be considered under the Freedom of Information Act, but the information will not be shared if doing so will breach one of the data protection principles.

Exemptions

There are a number of exemptions contained in the Act. These may apply to the right of subject access or to the duty to comply with one or all of the principles. Examples of exemptions include:

crime and taxation 

parliamentary privilege 

research, history and statistics 

confidential references 

legal professional privilege

Further details on the exemptions and how they apply can be found on the Information Commissioner's website www.ico.org.uk

Complaints and appeals

You are entitled to complain to us if you are not happy with the response to your subject access request or with our handling of your personal data. Your complaint will be reviewed internally, according to the procedure of the House who handled your request. If you are not happy with the internal review of your request, you can appeal to the Information Commissioner's Office www.ico.org.uk

Related information

Information Commissioner

The Information Commissioner's Office is the UK's independent authority set up to promote access to official information and to protect personal information. Further information about relevant laws is available on the Information Commissioner's Office website.

Relevant legislation

The official, revised edition of relevant legislation can be found in the UK Statute Law Database through the following links